As much as 66 percent of the Web may have been compromised by a newly revealed security flaw called Heartbleed.
So named by the researchers who discovered it, Heartbleed is a bug that affects an important internet security protocol called SSL. Specifically, it affects one particular implementation of SSL called OpenSSL.
For context (and to understand how bad Heartbleed is), here’s how SSL and OpenSSL work: Every time you log into a website, your login credentials are sent to that website’s server. But in most cases those credentials aren’t simply sent to the server in plain text — they’re encrypted using a protocol called Secure Sockets Layer, or SSL.
As with most protocols, different software makers have created different implementations of SSL. One of the most popular is an open-source implementation called OpenSSL, used by an estimated two thirds of currently active websites.
Heartbleed is a bug in OpenSSL. Hackers can exploit Heartbleed to get raw text from emails, instant messages, passwords, even business documents — anything a user sends to a vulnerable site’s server.
And the scariest part? The Heartbleed security flaw existed for nearly two years before it was discovered by legitimate researchers. That’s plenty of time for black-hat hackers to have discovered and exploited the bug.
So what can users do? Matthew Prince, CEO of content delivery network Cloudflare, one of the first businesses to be notified of the bug, told The Huffington Post that sadly, there’s not much normal netizens can do to protect themselves. “When you finish using a website, make sure to actively log out,” Prince advised — that makes it less likely that a hacker exploiting Heartbleed will be able to take your personal information.
Prince also put in a word of comfort: “Heartbleed is so serious — it’s such a big, bad event — that almost every major service is scrambling to clean it up as quickly as possible.” He estimated that most currently vulnerable websites will be “patched” by the end of the week.
Though a number of major websites have already been patched, others, including OKCupid, Flickr, Imgur and Yahoo.com, reportedly remain vulnerable to Heartbleed.
Users can test if their favorite websites are vulnerable here, though this service is reportedly not 100 percent reliable. Vulnerable sites should not be logged into until they’re patched — check those sites’ blogs or Twitter feeds for updates — and once a website has its patch in place, you should change your password for that site as soon as possible.
Source: Huffington Post